FBI Warning Against Maze Ransomware Attacks

The Federal Bureau of Investigation (FBI) published an alert to warn private companies in the U.S. concerning Maze ransomware attacks. FBI gave the alert after receiving an advisory the use of two ransomware variants, MegaCortex and LockerGoga, in attacks.

The alert concerning Maze ransomware TLP: Green should not have been publicly announced because it provides technical details concerning the attacks and indicators of compromise which private companies could use to dissuade attacks. Making it known to the public benefits the threat actors.

The alert prompts the victims of Maze ransomware attacks to let the FBI know right away to help monitor the attackers and capture them.

The Maze ransomware was first discovered in early 2019, but the first attack on U.S. organizations was in November 2019. There have been more attacks in recent weeks.

What happens during an attack includes network access, data exfiltration, and file encryption. The attacker demands a ransom from the company in exchange for the decryption keys and the wiping out of all stolen data. If the victims refuse to pay before the due date, the culprits will publish the stolen data.

The attack on Pensacola City recently deployed the Maze ransomware. The victims refused to pay the ransom and so the attackers publicized their stolen data. In December, Maze ransomware was deployed in attacking Southwire in Carrollton, GA, a wire and cabling firm. The ransom demand was 850 BTC ($6 million). The attackers threatened to publish the stolen information if the company doesn’t pay the ransom. No payment was made and the attackers published the stolen data on a website using an Irish ISP.

Southwire got a court injunction in Ireland and pressured the ISP to take down the website the Maze attacker created to publish the stolen information. Southwire moreover sued the hackers in the federal court of Georgia. Southwire alleges that the attackers committed a violation of the U.S. Computer Fraud and Abuse Act and is seeking injunctive relief and damages. The case filed was against ‘John Doe’ since the attackers were unknown.

The FBI warning pointed out the different strategies used by threat actors to attack companies, which include malicious cryptocurrency websites, malspam and phishing campaigns, impersonating government bodies and security firms, and ransomware downloads via exploit kits.

The FBI told private U.S. businesses to take note of its warning and fortify their defenses and resolve vulnerabilities. When attacked, the FBI does not recommend paying the ransom since there is no guarantee that the attacker will keep their end of the bargain.